Discussion:
[Samba] Authentication problem
Dr. Harry Knitter
2016-06-29 09:33:06 UTC
I'm setting up a new Samba 4 Domain on a Debian Jessie machine.
The dc works.
Now I'm trying to set up a fileserver following the samba wiki.
winbind is running on both machines, getent and wbinfo show the users and
groups of the domain.

However, when I try
net rpc rights list accounts -U"MYDOM\Administrator"
Enter MYDOM\Administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

What's wrong?


Greetings
Harry
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-06-29 10:18:05 UTC
Try,

net rpc rights list accounts -U"MYDOM\Administrator" -S servername.domain.tld

Since you are trying from localhost, it will always first connect to localhost.
And your domain is not known on localhost..

Greetz,

Louis
Dr. Harry Knitter
2016-06-29 10:39:06 UTC
Thanks, now it works

Harry
Dr. Harry Knitter
2016-06-29 10:27:38 UTC
Can you post /etc/resolv.conf and /etc/hosts from the domain member (or
as you call it, 'fileserver')
Rowland
Thanks for your quick reply.

/etc/resolv.conf points to the dc as a nameserver

search mydom.lan
nameserver IP.of.my.dc

/etc/hosts
127.0.0.1 localhost
xxx.xxx.xxx.xxx fs.mydom.lan fs

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

The IPs are correct

Harry
L.P.H. van Belle
2016-06-29 11:48:42 UTC
Hi Rowland, his setup is ok.

I'm guessing this has to do with your dhcp options or resolvconf settings or dhcpclient settings, or the nsswitch.conf resolv order has changed.
Or did you change /etc/hosts.conf to bind,hosts?

It's one of the above ;-)


Greetz,

Louis
-----Original message-----
Sent: Wednesday 29 June 2016 12:40
Subject: Re: [Samba] Authentication problem
Nothing seems wrong there, my setup is similar (dhcp instead of your
accounts -U"SAMDOM\Administrator"
BUILTIN\Print Operators
No privileges assigned
..........................
...............
....
I take it the fileserver is joined to the domain, so what is in
/etc/krb5.conf ?
Is a firewall running ?
What is in your smb.conf files, on the DC and fileserver ?
Rowland
L.P.H. van Belle
2016-06-29 12:55:51 UTC
Ok, but you changed your hosts file :-p
You removed 127.0.1.1 .. ..


So now then, what's wrong here...
Post by Dr. Harry Knitter
/etc/resolv.conf points to the dc as a nameserver
search mydom.lan
nameserver IP.of.my.dc
/etc/hosts
127.0.0.1 localhost
xxx.xxx.xxx.xxx fs.mydom.lan fs
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Nothing in my opinion.

So a new big mystery..

Why does :
net rpc rights list accounts -U"MYDOM\Administrator"
work with dhcp and a /etc/hosts with only 127.0.0.1 in it.

and why does a server with static ip errors
net rpc rights list accounts -U"MYDOM\Administrator"
Enter MYDOM\Administrator's password:
Could not connect to server 127.0.0.1 The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

While net rpc rights list accounts -U"MYDOM\Administrator" -S ADDC.MYDOMAIN.TLD works.

A ping ADDC.MYDOMAIN.TLD works also.
And a correct krb5.conf.

cat /etc/krb5.conf
[libdefaults]
default_realm = ROTTERDAM.BAZUIN.NL
dns_lookup_kdc = true

and kinit Administrator
works also..


Rowland can you show me your /etc/dhcp/dhclient.conf,
and the result of the dhcp client. /var/lib/dhcp/dhclient.leases

Can you try this again and add this to your hosts file.
Post by Dr. Harry Knitter
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
And try it again also, let's see what happens..
I don't know what's the difference here. You know my setup but I have/had the same as the topic starter.


Greetz,

Louis
Post by Dr. Harry Knitter
-----Original message-----
Cannot agree with you Louis, AD relies on DNS and as such, the net
command should be able to find the DC by dns.
My /etc/resolv.conf searches the domain and uses the DCs as nameservers,
all there is in /etc/hosts (apart from ipv6 lines) is
127.0.0.1 localhost
When I run the same command as the OP (just changing the domain) it
works for me. I would still be interested in seeing the info I last
asked for.
Rowland
Mueller
2016-06-29 13:37:24 UTC
Check in your smb.conf of your file servers for:

interfaces =
bind interfaces only =

Could be a reason you cannot connect.

Greetings

Daniel



EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: ***@tropenklinik.de
www.tropenklinik.de
www.bauen-sie-mit.tropenklinik.de




L.P.H. van Belle
2016-06-29 14:06:19 UTC
Good point Daniel, thanks. Worth a try.

I am using :
interfaces = 192.168.0.21 127.0.0.1
bind interfaces only = yes

Rowland, are u using these too?
And you Harry?

Greetz,

Louis
Dr. Harry Knitter
2016-06-30 08:37:59 UTC
Hello Louis,

I now have added
interfaces = eth0 lo
bind interfaces only = yes

I wanted to avoid using the IPs for more flexibility.

And it works!

net rpc rights list accounts -U"MYDOM\Administrator"

does not complain any more

Thanks and Greetings to all

Harry

Sketch
2016-06-29 15:31:24 UTC
Post by L.P.H. van Belle
I'm guessing this has to do with your dhcp options or resolvconf settings or
dhcpclient settings, or the nsswitch.conf resolv order has changed.
Or did you change /etc/hosts.conf to bind,hosts?
Cannot agree with you Louis, AD relies on DNS and as such, the net command
should be able to find the DC by dns.
My /etc/resolv.conf searches the domain and uses the DCs as nameservers, all
there is in /etc/hosts (apart from ipv6 lines) is
127.0.0.1 localhost
When I run the same command as the OP (just changing the domain) it works for
me. I would still be interested in seeing the info I last asked for.
I'm pretty sure AD relies on the OS for name lookups, which means it will
use hosts, DNS, etc, depending on how nsswitch and resolv.conf are
configured...so he may be correct.

BTW, I use bind interfaces only, and I only bind to my external IP. I
have to use -S servername to run that command, as it defaults to
localhost, even though my Samba does not use localhost at all.

One thing I would check is to make sure bind interfaces only is
working as expected by making sure samba is listening on 127.0.0.1:

# netstat -anp |grep 445.*LISTEN
tcp 0 0 10.10.10.54:445 0.0.0.0:* LISTEN 1571/smbd

In my case it's not, only on 10.10.10.54.
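
The listening-socket check from the post above, extended to also read the "interfaces" and "bind interfaces only" settings discussed in this thread, so that configuration and actual socket state can be compared. This is an added example, not part of any poster's message; the function names are hypothetical and the sample smb.conf is constructed.

```sh
# Added example, not from the thread. Function names are hypothetical.

# Print one [global] parameter from smb.conf text on stdin. Samba ignores
# case and blanks in parameter names, so "Bind Interfaces Only" matches too.
smbconf_global() {
    awk -v want="$1" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec)
                      sub(/\].*$/, "", sec); sec = norm(sec); next }
        sec == "global" && (eq = index($0, "=")) {
            if (norm(substr($0, 1, eq - 1)) != norm(want)) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        }
        END { print val }'
}

# Return 0 if the smb.conf text on stdin permits a listener on 127.0.0.1:
# "bind interfaces only" is off (the default, smbd binds the wildcard
# address) or the "interfaces" list names lo or a 127.x address.
conf_allows_loopback() {
    conf=$(cat)
    case $(printf '%s\n' "$conf" | smbconf_global "bind interfaces only" |
           tr 'A-Z' 'a-z') in
        yes|true|on|1) ;;
        *) return 0 ;;
    esac
    printf '%s\n' "$conf" | smbconf_global "interfaces" | tr ' \t' '\n\n' |
        grep -Eq '^(lo|127\.[0-9./]+)$'
}

# Return 0 if `netstat -ant` style lines on stdin show a TCP/445 listener
# that a client connecting to 127.0.0.1 can reach.
listens_on_loopback() {
    awk '/LISTEN/ { for (i = 1; i <= NF; i++)
             if ($i ~ /^(0\.0\.0\.0|\*|127\.[0-9.]+):445$/) ok = 1 }
         END { exit !ok }'
}

# $1 = smb.conf path, $2 = file holding saved netstat output.
loopback_verdict() {
    if listens_on_loopback < "$2"; then echo listening
    elif conf_allows_loopback < "$1"; then echo allowed-but-not-listening
    else echo excluded-by-config
    fi
}

# Demo: the netstat line from the post above plus a constructed smb.conf.
demo=$(mktemp -d)
printf '[global]\ninterfaces = 10.10.10.54\nbind interfaces only = yes\n' > "$demo/smb.conf"
printf 'tcp 0 0 10.10.10.54:445 0.0.0.0:* LISTEN 1571/smbd\n' > "$demo/netstat.txt"
loopback_verdict "$demo/smb.conf" "$demo/netstat.txt"
rm -rf "$demo"
```

A result of allowed-but-not-listening means the configuration and the running smbd disagree, for example because smbd was not restarted after smb.conf was edited.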
L.P.H. van Belle
2016-06-30 06:42:25 UTC
Thanks Sketch for your info also.

So I think we can conclude that somewhere there is a behavior change in
resolving when using bind interfaces in smb.conf.
Then we need the -S servername parameter.

I made a small change in the wiki:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

But maybe this needs a bit more investigation, and optionally a report as a minor bug.

Question now for the devs: is this by design or a minor bug?


Greetz,

Louis